CVE-2025-28955
FWDesign · FWDesign Easy Video Player Wordpress & WooCommerce
Executive summary
A high-severity vulnerability has been identified in the Easy Video Player plugin for WordPress and WooCommerce, which could allow an unauthenticated attacker to access sensitive files on the web server. Successful exploitation could lead to the disclosure of confidential information, such as database credentials or system configuration files, potentially resulting in a full system compromise. Organizations using the affected plugin are urged to apply the recommended updates immediately to mitigate this risk.
Vulnerability
The vulnerability is a Path Traversal, also known as Directory Traversal (CWE-22). It exists because the application fails to properly sanitize user-supplied input that is used to construct a file path. An attacker can exploit this by crafting a malicious request containing "dot-dot-slash" (../) sequences to navigate outside of the intended web root directory and access or read arbitrary files on the server's filesystem, such as wp-config.php or /etc/passwd.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have a significant business impact by allowing an attacker to read sensitive files containing database credentials, API keys, and other server configuration details. This information leak could serve as a stepping stone for further attacks, leading to a complete compromise of the website, data breaches, service disruption, and reputational damage. The exposure of customer data or proprietary information presents a direct financial and legal risk to the organization.
Remediation
Immediate Action:
- Identify all WordPress instances running the "Easy Video Player" plugin.
- Update the plugin to the latest version provided by the vendor (FWDesign) to patch the vulnerability.
- If the plugin is not essential for business operations, consider deactivating and removing it entirely to eliminate the attack surface.
Proactive Monitoring:
- Review web server access logs (e.g., Apache, Nginx) for suspicious requests containing path traversal patterns such as `../`, `..%2f`, or `..\`.
- Monitor for unusual file access attempts or outbound traffic from the web server that could indicate a successful compromise.
- Implement a file integrity monitoring (FIM) solution to alert on unauthorized changes to critical files like wp-config.php.
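The log review above can be scripted. The following is an added example, not code from the advisory or the vendor: it parses combined-format access log lines, percent-decodes each request target repeatedly (so double-encoded `..%252f` and backslash variants are caught too), and reports every request carrying a `..` segment together with its response status. The log lines, the plugin path `PLUGIN` and the `file` query parameter are constructed placeholders, not the plugin's real endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); the plugin path and
# the "file" query parameter are placeholders, not the plugin's real endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-content/plugins/PLUGIN/?file=intro.mp4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-content/plugins/PLUGIN/?file=../../../wp-config.php HTTP/1.1" 200 3011 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-content/plugins/PLUGIN/?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:12:00:04 +0000] "GET /wp-content/plugins/PLUGIN/?file=..%252f..%252fwp-config.php HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.2 - - [10/Mar/2025:12:00:05 +0000] "GET /wp-content/plugins/PLUGIN/?file=..\\..\\wp-config.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A ".." segment at the start of the target or right after / = & ?
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?])\.\.(?:/|$)')

def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding such as %252f),
    then fold backslashes into slashes so backslash variants are caught."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_traversal(target: str) -> bool:
    """True when the normalized request target contains a '..' segment."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None

def scan_log(text: str) -> list[dict]:
    """One finding per line whose request target carries a traversal
    sequence; a 2xx status on such a request is flagged for priority review."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            findings.append({"client": m["client"], "ts": m["ts"],
                             "decoded": normalize_target(m["target"]),
                             "status": int(m["status"]),
                             "likely_success": m["status"].startswith("2")})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 2xx response to a flagged request is the signal to treat the host as potentially compromised and rotate the credentials held in wp-config.php.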
Compensating Controls:
- If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attempts.
- Ensure the web server process is running with the lowest possible privileges and that file system permissions are hardened to restrict access to sensitive files and directories outside the web root.
- Segment the web server from other critical internal network resources to limit the potential impact of a compromise.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the potential for complete site compromise, we recommend immediate action. All system administrators should prioritize patching the "Easy Video Player" plugin on all WordPress and WooCommerce sites without delay. A comprehensive audit of all installed plugins should also be conducted to identify and remove any non-essential software, thereby reducing the overall attack surface. Although the vulnerability is not yet known to be actively exploited, its critical nature makes it a prime target for future attacks, and proactive remediation is the most effective defense.